Impact
The vulnerability is a use‑after‑free error located in the user interface of Google Chrome. The flaw can be triggered by a specially crafted HTML page that causes a memory pointer to be accessed after the memory has been freed. When this occurs, a remote attacker may be able to escape Chrome’s sandbox, potentially executing arbitrary code outside the browser process. The weaknesses are identified as CWE‑416 and CWE‑825, highlighting memory safety issues that can lead to privilege escalation and integrity compromise.
Affected Systems
All users running Google Chrome versions prior to 148.0.7778.216 are affected. The issue applies to all platforms where the Chrome browser includes the vulnerable UI component. Version 148.0.7778.216 and later are not impacted, as the patch has been applied.
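The version cutoff above can be applied to a software inventory with a numeric, per-component comparison. The following is an added example, not part of the advisory; the host names, the inventory format, and the function names are assumptions made for illustration.

```python
import re

# Fixed version as stated in the advisory text above.
FIXED = (148, 0, 7778, 216)

# Chrome versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the first four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """True when version is strictly older than the fixed build."""
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "148.0.7778.99" above "148.0.7778.216".
    return version < FIXED


def triage(inventory):
    """Split {host: reported version string} into (affected, patched, unknown)."""
    affected, patched, unknown = [], [], []
    for host, reported in sorted(inventory.items()):
        version = parse_chrome_version(reported)
        if version is None:
            unknown.append(host)  # unverified hosts are not counted as patched
        elif is_affected(version):
            affected.append(host)
        else:
            patched.append(host)
    return affected, patched, unknown


# Constructed sample inventory: host names and version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 148.0.7778.216",
    "ws-02": "Google Chrome 148.0.7778.99 ",
    "ws-03": "Google Chrome 147.0.7700.120",
    "ws-04": "Google Chrome 149.0.7801.3",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    for label, hosts in zip(("affected", "patched", "unknown"), triage(SAMPLE_INVENTORY)):
        print(f"{label}: {hosts}")
```

Hosts whose version string cannot be parsed are reported separately so they can be checked by hand.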
Risk and Exploitability
The vulnerability has a CVSS score of 8.3, indicating high severity, and is listed as a use‑after‑free that can lead to sandbox escape. The EPSS score is < 1%, and the vulnerability is not currently listed in the CISA KEV catalog, which suggests that public exploitation has not been confirmed. However, because the flaw can be triggered remotely via a crafted HTML page, an attacker may be able to design an exploit that could be delivered through a malicious website or email attachment. Given this possibility, the risk remains significant until the software is updated to the fixed version. The likely attack vector is an attacker‑controlled web page that the victim opens in Chrome, allowing the exploit to be delivered without additional credentials.
OpenCVE Enrichment